Patch management software helps organizations acquire, test and install code to fix known vulnerabilities in operating systems and applications. It also helps them assess exposure and prioritize patches (given your specific environment), identify missing patches that need to be remediated and produce real-time reports for compliance and other auditing needs.
Since its emergence early this decade, patch management has become "operationalized," says Ronni Colville, an analyst at Gartner. For instance, the function is being subsumed into PC configuration management vendors' suites, such as Symantec (Altiris) and Avocent (LanDesk). However, she says, in most cases, these systems don't offer the richness of capability provided by point solutions.
Also see Patch Management Systems: Evaluation Criteria and Capabilities
Three main players remain in the point solution market: BigFix, Lumension and Shavlik. Still, Colville says, "no vendor can make a full business on just patch management, so they've brought in other functions." For instance, BigFix has broadened its security focus to include more configuration functions (such as inventory and software distribution), she says, while Lumension and Shavlik have begun to include functions such as security configuration, endpoint vulnerability assessment, and data leakage prevention.
Meanwhile, some companies continue to use Microsoft Windows Server Update Services (WSUS) to patch Windows operating systems and applications because it's free, but it's also more manually intensive.
Patch Management Package Selection: Two Prime Considerations
Configuration management versus patch management. A primary decision is whether to turn to a configuration management system for its patch capabilities or to a point product that may or may not also offer configuration capabilities. According to Colville, the reasons organizations choose the latter is they're not ready to commit to a full lifecycle configuration suite, or their current configuration management tools don't provide a best-of-breed patch management capability. The trade-off of having both in your environment, of course, is the need to deal with multiple agents and consoles.
Eric Maiwald, an analyst at Burton Group, suggests first evaluating your configuration management system for its patch management capabilities, since it might be advantageous and less expensive to maintain the same architecture for both functions, especially if it already works well in your environment. However, if you change your mind, the functionality will be more difficult to remove because the single-vendor approach means the software is embedded more deeply into your architecture.
Agent versus agentless. As Shavlik explains, agentless systems are based on push technology and on a centralized design. Server-based software scans the machines in the enterprise and initiates all actions on those machines. With agent-based solutions, client-based software scans the machine and communicates its findings back to the central console.
Agentless systems are best for networks with large amounts of available bandwidth and connected machines. Agent-based systems are best for environments with frequently disconnected machines, such as mobile PCs, and distributed networks with remote locations that have limited bandwidth.
"With an agent-based system, you get more operational control and better ability to do inventory scanning and monitoring," Colville says. "What you give up is ease of deployment and lower management effort, and you'll pay a higher price."
Dos and Don'ts of Patch Management
DO decide between agent-based or agentless. Mark Starry, director of enterprise architecture at Concord Hospital in Concord, N.H., decided on an agent-based system from BigFix in 2004 because he thought it would better fulfill his compliance needs. The system enables him to report in real time on which patches were actually installed, not just which patches were deployed. Although it's unlikely, he would also be able to detect whether a user uninstalled a patch. He also found the BigFix agent to have a smaller footprint than other options at the time.
Starry also finds it useful that the agent can report on what software is installed on which PC, not just what is listed in the registry. "We know in a second which of our 5,000 machines are vulnerable, so we're able to react that much more quickly," he says. He can also scan
Post new comment